
Agenda 

Evolving threats in the mobile space, 

Android malware, a case-study using a real-world bot, 

The Endace Mobile Security Platform, 

POC Deployment, Results and Issues, 

Future work and Questions 





Mobile Security Signalling Plane 

SMS Flooding attack (GSM/UMTS) 

Paging Attack (UMTS/GPRS/CDMA2000) 

Dedicated Channel attack (UMTS) 

• DCH starvation (Data Plane attack) 

• DCH<->FACH overload (Signalling Plane attack) 

Data & Control plane saturation 

• Some systems being brought down by P2P traffic 

• UTRAN DoS attacks and mis-planning are synonymous 

• e.g. : Telecom XT - System saturation 

• e.g. : AT&T iPhone blog - planned DoS attack 
Mobile Security 

Mobile security is a new problem but growing fast 
Radio folk do not understand security 
Security folk do not understand radio ("Mind the gap") 
Attackers are learning fast - the worst yet to come 
UTRAN signalling saturation the big threat 

Mobile CSO needs tools to cover a wide responsibility 
Network Infrastructure Protection 
Fraud, LI, LEA & national security engagement 
User & privacy protection 
And no Mobile security industry to work with 

Mobile Security Issues 

Identity theft/spoofing, billing attacks, 

Difficult to get the information to easily service warrants, 

Difficult to detect and investigate fraud, 

Infrastructure DoS attacks, RAN: SMS flooding (GSM), 
Resource Starvation (CDMA2000, UMTS), 

Convergence of the traditionally separate circuit switched (CS) 
and packet switched (PS) planes onto IP (VoIP, VoLTE): 
"traditional IP attacks" such as SYN flooding and teardrop 
attacks are becoming easier to use, 




Proprietary and confidential : Endace Technology Ltd 







Botnets Architecture & Lifecycle 

• Bot is distributed/infects hosts through social engineering, 
email, VoIP, web sites, compounded by poor patching 
(OTA), 



Command and Control (C&C) required for coordinating 
attacks and distributing exploits: 

• Centralized (IRC, HTTP), IRC usually blocked by firewalls, 
HTTP easier to bypass firewall restrictions, 

• P2P (Overnet), used by the Storm bot, 

• Randomized, 

Anomalous network traffic and data patterns can be 
detected: 

• IRC, HTTP, DNS, Netflow anomalies 








Android Exploit Surface 

• Similar Linux exploit vectors, as Android builds on the 
traditional Linux kernel, 

• Linux permission model, uid, gid, 

• Linux kernel, 

• udev, webkit, OpenGL, SQLite, ARM 

• "Unfamiliar" software stacks include: 

• ADB (Android Debug Bridge), 

• Binder IPC, Ashmem (Anonymous Shared Memory), 

• Dalvik VM, Zygote, Telephony stack 
Android Exploit Vectors 

• Initial access to the device is established remotely: 

• Through the browser (webkit), 

• Through a malicious market application (DroidDream), 

• Through an exploit against the telephony stack, including 
VoIP clients (SIP/RTP stack) and VoLTE implementations, 

• Through an exploit against SMS/MMS handling, 

• Rooted through traditional and platform specific exploits, 

• Credentials, phone books, email, SMS can be retrieved and 
uploaded, 

• VoIP conversations can be recorded and uploaded. 






Android - DroidDream 

• Android marketplace malware, repackaged in a variety of 
different applications (Super Guitar Solo), 

• Symantec reported a total of 52 infected apps published, 

• Between 50,000 to 200,000 downloads of infected apps 
before they were pulled from the Android market, 

• Binaries contain the string "CVE-2010-EASY Android local 
root exploit (C) 2010 by 743C", 

• DroidDream, a bot, exploited two well known exploits: 
"exploid" and "rageagainstthecage", 

• Exploid: Android <= 2.1, exploited lack of message 
authentication, 

• RageAgainstTheCage: Android <= 2.2, setuid exhaustion 
attack. 






Android - DroidDream 

• Requires the user to trigger the exploit, 

• "Dials" home using an HTTP POST reporting the user's IMSI 
and IMEI, 

• Attempts to gain root privileges using exploid and 
rageagainstthecage, 

• After a successful root installs the APK 
DownloadProviderManager.apk which periodically dials 
home and listens for commands and uploads more 
privileged information, 




C&C occurs over the 3G Gn link, or S5/S8 in LTE 






Android - DroidDream 

• Classic HTTP bot can be detected by anomaly detection 
and signature based packet matching, 

• C&C updates and downloads can be short and erratic, 
bursty, and do not typically mimic user interaction; they might be 
flagged by "weird" NetFlow, but this may give false positives, 



alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 \
(msg:"ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication"; \
flow:established,to_server; content:"POST"; http_method; \
content:"/GMServer/GMServlet"; nocase; http_uri; \
content:"|0d 0a|User-Agent|3a| Dalvik"; http_header; \
classtype:trojan-activity; sid:2012453; rev:2;) 
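The rule above, re-implemented as an added Python example (not Endace's code and not part of the original deck) so that its three content checks can be run over constructed HTTP requests; the flow labels, ports and request bytes are made up for illustration:

```python
# Added example (not Endace's code): the DroidDream Snort rule's three content
# checks re-implemented in Python and run over constructed HTTP requests.
C2_PORT = 8080                         # "$EXTERNAL_NET 8080" in the rule
C2_URI = b"/gmserver/gmservlet"        # compared lower-cased: "nocase; http_uri"

def matches_droiddream_c2(dst_port: int, raw: bytes) -> bool:
    """True if a raw HTTP request hits the DroidDream C&C signature."""
    if dst_port != C2_PORT:
        return False
    head = raw.split(b"\r\n\r\n", 1)[0]          # request line + headers only
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:                          # malformed request line
        return False
    method, uri = parts[0], parts[1]
    return (method == b"POST"                    # content:"POST"; http_method
            and C2_URI in uri.lower()            # content:"/GMServer/GMServlet"; nocase; http_uri
            # content:"|0d 0a|User-Agent|3a| Dalvik"; http_header (case-sensitive,
            # anchored to the start of a header line by the leading CRLF)
            and b"\r\nUser-Agent: Dalvik" in b"\r\n" + header_block)

# Constructed sample flows as (label, dst_port, raw request); not real captures.
SAMPLES = [
    ("c2_post", 8080,
     b"POST /GMServer/GMServlet HTTP/1.1\r\nHost: 203.0.113.7:8080\r\n"
     b"User-Agent: Dalvik/1.2.0 (Linux; U; Android 2.2)\r\nContent-Length: 0\r\n\r\n"),
    ("mixed_case_uri", 8080,                      # still hits: URI match is nocase
     b"POST /gmserver/gmservlet HTTP/1.1\r\nUser-Agent: Dalvik/1.4.0\r\n\r\n"),
    ("get_not_post", 8080,                        # wrong method
     b"GET /GMServer/GMServlet HTTP/1.1\r\nUser-Agent: Dalvik/1.2.0\r\n\r\n"),
    ("browser_ua", 8080,                          # same URI, non-Dalvik client
     b"POST /GMServer/GMServlet HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("wrong_port", 80,                            # rule only looks at port 8080
     b"POST /GMServer/GMServlet HTTP/1.1\r\nUser-Agent: Dalvik/1.2.0\r\n\r\n"),
]

def scan(samples):
    """Return the labels of the flows that hit the signature."""
    return [label for label, port, raw in samples if matches_droiddream_c2(port, raw)]
```

Any Dalvik client that POSTs to a URI containing that path on port 8080 also hits the rule, which is the false-positive risk the slide notes.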








Mobile Security Platform (MSP) Focus 

• Detect IP based data plane anomalies over "traditional" 
attack avenues, web, IM, C&C, etc., 



Provide anomaly detection (NetFlow), signature matching 
(SNORT), CDR (Call Data Records) for MS (Mobile 
Subscriber) matching, full packet capture for analysis and 
user plane analytics, 

Operates over 2.5G/3G and will scale/evolve naturally to 
provide similar protection to "4G" LTE, 

Will scale to handle large control plane (GTP-C) updates 
across multiple SGSN/GGSNs, 

Will scale to handle large data plane (GTP-U) pipes. 






Where we sit in a 3G/UMTS/GPRS network 
Mobile Attach 

[Figure: GPRS mobility state diagram; states shown: Standby, GPRS Detach; transitions: standby timer expires, paging request or packet sent] 




GPRS Attach procedure triggers authentication, routing 
update (HLR), 

On successful GPRS Attach, PDP Context activation 
procedure is triggered, 

After a successful PDP Context activation procedure the MS is 
assigned an IP address. 






The PDP Context 
MSP POC Breakdown 

• Probes tap the Gn link by attaching to a SPAN port on the 
GGSN, 

• All GTP-U/C packets stored to disk for forensics, 

• All GTP-U packets de-fragmented and de-tunneled to IDS 
and network analytics, 

• GTP tunnel identifiers packed into packets as metadata to 
allow reverse mapping from Alert -> GTP Tunnel, 




GTP-C packets are forwarded to the Server for PDP 
Correlation/Tracking/Reporting/Storage, 



• Server maps from SNORT alert -> { GTP-U session, GTP-U 
data storage } 
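The Alert -> GTP Tunnel -> subscriber mapping described on this slide, as an added Python example (not Endace's code): it strips a GTPv1-U header to reach the inner IP packet and resolves the TEID, carried as alert metadata, against a PDP-context table built from GTP-C; the class and function names, the test-PLMN IMSI, the MSISDN and the packet bytes are all constructed for illustration.

```python
# Added example (not Endace's code): strip the GTPv1-U header from a Gn packet and map
# the de-tunnelled alert back to a subscriber via a PDP-context table learned from GTP-C.
import struct
from ipaddress import IPv4Address
GTP_GPDU = 0xFF   # G-PDU message type: the payload is the user's IP packet

def strip_gtpu(frame: bytes):
    """Return (TEID, inner IP packet); handles the optional seq/N-PDU/ext fields."""
    flags, msg_type, length, teid = struct.unpack("!BBHI", frame[:8])
    if flags >> 5 != 1 or msg_type != GTP_GPDU:
        raise ValueError("not a GTPv1-U G-PDU")
    off = 8
    if flags & 0x07:                          # E, S or PN set: 4 optional octets
        next_ext, off = frame[11], 12
        while flags & 0x04 and next_ext:      # walk extension headers (E bit)
            ext_len = frame[off] * 4          # length field is in 4-octet units
            next_ext = frame[off + ext_len - 1]
            off += ext_len
    return teid, frame[off:8 + length]        # length excludes the 8 mandatory octets

def inner_ipv4(packet: bytes):
    """Return (src, dst, protocol) of the de-tunnelled IPv4 packet."""
    if packet[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20])), packet[9]

class PdpContextTable:
    """IP<->IMSI state built from GTP-C Create/Delete PDP Context messages."""
    def __init__(self):
        self.by_teid = {}
    def create(self, imsi, msisdn, ue_ip, teid_data):
        self.by_teid[teid_data] = {"imsi": imsi, "msisdn": msisdn, "ip": ue_ip}
    def resolve(self, teid, ue_ip):
        # TEID is authoritative; a mismatching IP means a stale context (UE IPs are reused)
        ctx = self.by_teid.get(teid)
        return ctx if ctx and ctx["ip"] == ue_ip else None

def alert_to_subscriber(frame: bytes, table: PdpContextTable):
    teid, ip_pkt = strip_gtpu(frame)
    src, dst, _ = inner_ipv4(ip_pkt)
    ctx = table.resolve(teid, src)
    return None if ctx is None else (ctx["imsi"], ctx["msisdn"], src, dst)

# Constructed sample: uplink G-PDU, S flag set, TEID 0x1234, inner IPv4 10.0.0.5 -> 203.0.113.10 (TCP)
INNER = (bytes([0x45, 0, 0, 24, 0, 1, 0, 0, 64, 6, 0, 0])
         + IPv4Address("10.0.0.5").packed + IPv4Address("203.0.113.10").packed + b"POST")
SAMPLE = (struct.pack("!BBHI", 0x32, GTP_GPDU, 4 + len(INNER), 0x1234)
          + struct.pack("!HBB", 7, 0, 0) + INNER)
TABLE = PdpContextTable()   # test-PLMN (001-01) IMSI and a made-up MSISDN
TABLE.create("001010123456789", "6421000001", "10.0.0.5", 0x1234)
```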






MSP User Dashboard 



[Screenshot: MSP user dashboard; alert table with columns Description, Src IP, sPort, Dest IP, dPort, Time, Agent, Action, Alert Sid; example rows: "Possible string format attempt in FTP" and "FTP bounce attack"] 
MSP POC Results 

• Successfully handled processing fragmented Gn links with 
> 3Gbps peak bandwidth and up to 1200 PDP Correlations 
per second, scales to 10Gbps, 

• Tracks the attach/detach/update of 00000's of users hourly 
handled by 3 GGSNs, translating to 0000000's of PDP 
messages, 

• Successfully map the IPs of compromised hosts to MS 
IMSI/IMEI/MSISDN, 

• Wrote SNORT rules to track spyware, such as Flexispy and 
Mobilespy, and to track new iPad users. 


• Store CDR data over time to allow the detailed tracking of 
users over time for forensics. 












MSP POC Issues 

• Gn tunnel IP fragmentation - large amounts of 
fragmentation came from incorrectly configured MTU sizes 
on the SGSN and from roaming sources over the GSN, 

• Vendor specific timeouts on GSNs may cause problems if 
deployment is not tuned, PDP Contexts may linger, 

• 3G Direct Tunnel (DT) CN optimization for HSPA, used to 
reduce latency by bypassing the SGSN for user-plane 
traffic, results in increasing the bandwidth utilization at the 
tap point, resource constraints are hit faster, 

• Stale PDP Contexts may be preserved during any 
downtime. 





MSP Future Work 

Migration to LTE and Evolved Packet Core (EPC) 

Extensions for Lawful Intercept (LI), 

Extensions to IPFIX and NetFlow v9 to embed GTP 
metadata, 

Migration to Endace DOCK Platform, 

Introduce redundancy and high availability. 
MSP LTE and EPC 

• EPS Bearer serves a similar purpose as the PDP Context in 
GERAN/UTRAN networks. 

• EPS Bearer uniquely identifies traffic flows that receive a 
common QoS treatment between a UE and PDN GW for 
GTP-based S5/S8, 

• One EPS Bearer is established when the UE connects to a 
PDN, 



• There is a 1 - 1 mapping between an EPS bearer and a 
PDP Context. 











Questions? 
Thank you 

Appendix A 

Mobile Security issues 
Security Issues 

Network saturation (Much publicised) 

Networks down (Google for NZ Telecom XT) 

P2P can bring down RNCs 

Increasing opportunity awareness from organised crime 

Difficult to get the information to easily service warrants 

Difficult to detect and investigate Fraud 

Lack of detailed context based CDRs 

Power constraints limit handset based protection 

Traditional security tools don't work - IP centric 

Need mobile security tools - IMSI/IMEI centric 

Not just IDS... CDRs and forensics tools 





















Appendix B 

Mobile Security Platform 

Design 
















MSP : Long term plans 

• Start with Gn interface for PoC and first release 

• Track active contexts 

• Map IP addresses to mobile ID (IP<->IMSI/IMEI) 

• Later, move towards UTRAN monitoring signalling planes 

- UMTS interfaces (Iub, Iu-PS, Iur) 

- Complicated protocol stack-ups 

- This is where Infrastructure DoS attacks will take place 

- Similar problem to mal-dimensioned infrastructure 

MSP Gn PoC : Overview 



Gn Interface is tunnelled using GTP 
IP address changes with each new PDP context 
IDS events need to map handset SIM by IMSI 
Event information needs to contain IMSI address 
At this stage, only IP traffic is inspected for threats 
Includes all network element traffic (no IMSI) 
MSP Gn : Position in UMTS Network 

[Figure: MSP probe position in the UMTS network; elements shown include RADIUS Server and the Internet; tap on 1 physical 10Gbps interface] 
MSP : Architecture 

[Figure: MSP architecture, including the PDP context database] 
Further Extensions for discussion 



UTRAN monitoring/IDS 

Lawful Intercept (via Endace LI Applications) 

Complex CDRs -> NetFlow like Extensions 

Mining of stored data by context (IMSI, IMEI, time) 

Reasonably straightforward, but work and customer 
interaction required to properly define subsequent releases 
Appendix C 

Mobile Security Platform 

CDR examples 
MSP : CDR Results 

• We have several CDR output formats 

• These are just 2 that we grabbed during the trial 

• Happy to discuss CDR formats that are useful to you 

MSP : Tunnel context output 

MSP : IMSI / IP context output 

[Table: IMSI / IP context output; columns include IP address] 
Examples of IDS Mobile alerts on Gn traffic 

High priority IDS alerts with IP & IMSI 
addresses 

[Screenshot: Endace Security Manager Dashboard 5.3] 
IDS Alert detail including IMSI 

Detecting Spyware (1 : Write a SNORT rule) 

Detecting Spyware (2 : Grab the data) 

Detecting Spyware (3 : Look at the traffic) 
Mobile Security Platform : Pilot Results 



• Pilot tool is used to analyse Network traffic 

• In this case, de-tunnelled traffic goes to Pilot 

• Able to look at all views that Pilot can provide 

• Bandwidth over time, rankings, top servers etc 

• Examples follow 
MSP/Pilot : Bandwidth over time (bits/sec) 
MSP/Pilot : Traffic type over time 
MSP/Pilot : Traffic type by rank 
MSP/Pilot : TCP connection type and BW over time 
MSP/Pilot : Top servers (bits/sec) 
MSP/Pilot : Top servers (packets/sec) 
MSP/Pilot : Traffic type (bits/sec) 
MSP/Pilot : DNS requests over time 
MSP/Pilot : Top 10 DNS Destinations 
MSP/Pilot : DNS Response times 
MSP/Pilot : Top server countries 
MSP/Pilot : Top server hosts 
MSP/Pilot : TCP server response type bandwidth (bits/s) 
MSP/Pilot : Slowest servers 